The Hive ransomware group has been active since mid-2021 and gained notoriety through its attack on the Memorial Health System, its most prominent incident to date. That attack took Memorial's online systems offline and forced the organization to divert emergency care patients to facilities outside its network. It is the third ransomware attack this year, after those on Colonial Pipeline and JBS Foods, whose impact reached the general public directly.
What differentiates Hive from less sophisticated ransomware attackers, who commonly adopt a "spray and pray" approach (i.e., lock out as many systems as possible, as quickly as possible, with little interest in the data itself)?
The Hive ransomware group uses a "double extortion" play: it exfiltrates a target's critical data before encrypting it, then uses both the outage and the threat of publishing the stolen data as levers to drive up the ransom. The tactic is gaining traction among attackers.
Because the attacker wants both to disrupt operations and to obtain valuable data, the intrusion requires more hands-on interaction and longer persistence than a purely disruptive ransomware attack. The operator has to spend time in the environment working out which data is valuable enough to be worth exfiltrating, and has to stay there long enough to move it out before encryption starts.
How Hive Ransomware Works
Hive uses a variety of tactics and techniques to execute an attack:
1. The attack begins with a phishing email to users who have access to the victim environment; the email tricks the user into downloading and running the malicious payload.
2. The payload is often a Cobalt Strike beacon. Cobalt Strike started off as a commercial adversary-simulation tool for penetration testers, and its beacon provides persistence, an outbound call-back channel, lateral movement and delivery of the secondary payload.
3. Next comes credential dumping on the compromised host and mapping of the Active Directory environment.
4. Lateral movement and wider spread of the malware are facilitated by Microsoft's Remote Desktop Protocol (RDP). The Hive group has also been known to exploit vulnerabilities to progress an attack. A case in point is exploitation of a vulnerability in the ConnectWise Automate endpoint management tool where that tool was present in the victim network, a further indication of the supply chain risk posed by software providers.
5. The secondary payload is downloaded on instructions sent to the Cobalt Strike beacon once the outbound call-back channel is established. This payload performs the actions that ultimately enable the ransom demand.
6. The payload performs the following actions:
- Stopping services that could hinder progress or generate alerts
- Enumeration of all attached storage for files that could be relevant
- Exfiltration of specific files
- Local encryption of the same files
- Creation of ransom note
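The service-stopping step in the list above is one of the few actions in the chain that leaves a loud, host-local signal before encryption begins: several unrelated services stop within seconds of each other. The following added example (not code from the original post, from Illumio or from Hive) shows a simple detector for that pattern, run over constructed Windows System log lines in a simplified text export of Event ID 7036 ("service entered the stopped state"). The timestamps, service names, the watchlist and the window and count thresholds are all assumptions for illustration.

```python
"""Detect a burst of service stops, as a ransomware payload produces before
encrypting. Added example; the log lines are constructed, and the watchlist
and thresholds are assumptions to be tuned per environment."""
from datetime import datetime, timedelta
import re

# Constructed sample: "<timestamp> <event id> <message>" per line.
SAMPLE_EVENTS = """\
2021-08-15T03:11:58Z 7036 The Print Spooler service entered the stopped state.
2021-08-15T03:12:01Z 7036 The Windows Defender Antivirus Service service entered the stopped state.
2021-08-15T03:12:02Z 7036 The Volume Shadow Copy service entered the stopped state.
2021-08-15T03:12:02Z 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-08-15T03:12:04Z 7036 The Veeam Backup Service service entered the stopped state.
2021-08-15T09:40:10Z 7036 The Print Spooler service entered the stopped state.
"""

# Assumed watchlist: substrings of service names whose shutdown commonly
# precedes encryption (backups, shadow copies, databases) or silences alerting.
WATCHLIST = ("defender", "shadow copy", "backup", "sql server", "exchange")

# Event ID 7036 stop message in the constructed export format.
STOP_RE = re.compile(r"^(\S+) 7036 The (.+) service entered the stopped state\.$")


def parse_stops(text):
    """Return a list of (timestamp, service_name) for every 7036 stop event."""
    stops = []
    for line in text.splitlines():
        m = STOP_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        stops.append((ts, m.group(2)))
    return stops


def find_stop_bursts(stops, window_seconds=60, min_stops=3):
    """Flag any window of window_seconds in which at least min_stops distinct
    services stop. Each burst is reported once, with the watchlisted services
    it contains, so the SOC can prioritise hosts where backups or AV died."""
    stops = sorted(stops)
    alerts = []
    i = 0
    while i < len(stops):
        start_ts = stops[i][0]
        j = i
        services = []
        while j < len(stops) and stops[j][0] - start_ts <= timedelta(seconds=window_seconds):
            services.append(stops[j][1])
            j += 1
        distinct = sorted(set(services))
        if len(distinct) >= min_stops:
            hits = [s for s in distinct if any(k in s.lower() for k in WATCHLIST)]
            alerts.append({"start": start_ts, "services": distinct, "watchlist_hits": hits})
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_stop_bursts(parse_stops(SAMPLE_EVENTS)):
        print(alert["start"], len(alert["services"]), "services stopped;",
              "watchlist hits:", alert["watchlist_hits"])
```

On the constructed sample, the five stops between 03:11:58 and 03:12:04 form one burst and four of them hit the watchlist; the lone Print Spooler stop at 09:40 is ignored. A single service stop is routine, which is why the detector keys on the count of distinct services in a short window rather than on any one service name.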
How Illumio Can Help
After gaining initial entry into an organization, malware and ransomware commonly spread within the environment by lateral movement, using whatever user credentials they have managed to obtain.
Hive uses Remote Desktop Protocol (RDP) to move laterally. RDP is often left accessible to facilitate remote access and remote administration, and as a result it is also a popular initial access vector for ransomware.
Given this, there are a few steps organizations can take to improve their defenses against Hive ransomware using Illumio Core:
- Monitor: Deploy Illumio agents to all endpoints and monitor traffic flows. This gives visibility into every flow to and from an endpoint, which the Security Operations Center (SOC) can use to identify RDP connections outside normal behavior patterns and outbound connections to known bad infrastructure (e.g., Hive command-and-control servers).
- Limit exposure: The more open the access between workloads, the faster ransomware can spread. Since RDP between arbitrary endpoints is rarely needed, use Enforcement Boundaries to block RDP by default between endpoints. Exception rules can still permit access from administrative hosts and remote access gateways. This limits how quickly the ransomware can spread.
- Organizations can further tighten this control with Illumio Core's Adaptive User Segmentation capability, which ensures that only users in an authorized Active Directory group can RDP from the dedicated jumphosts.
- To limit the effectiveness of the C2 call-back channel, implement a similar boundary that denies outbound access to any public IP or FQDN associated with Hive, and keep that list updated regularly. Because C2 infrastructure changes faster than any denylist, treat the denylist as a supplement: workloads with no business need for internet egress should be denied outbound access by default.
- Contain: When the SOC identifies a workload that may be infected, a response playbook can quarantine that workload so that the only access to it is from authorized investigative machines and forensic tools.
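The three steps above (monitor flows, enforce a default-deny RDP boundary with jumphost exceptions, block known C2 destinations, then quarantine what the SOC finds) can be checked against sample data before any policy is enforced. The following added example is not Illumio Core's policy engine or API; it models the same rules in plain Python and runs them over constructed flow records. The corporate address range, the jumphost and gateway addresses, the C2 denylist (RFC 5737 documentation ranges, not real Hive infrastructure) and the flow lines are all assumptions.

```python
"""Triage constructed flow records against a default-deny RDP boundary and a
C2 denylist. Added example; addresses, roles and the denylist are assumed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

RDP_PORT = 3389
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Assumed exceptions to the RDP boundary: only these hosts may originate RDP.
JUMPHOSTS = {"10.0.5.10", "10.0.5.11"}
REMOTE_GATEWAYS = {"10.0.9.2"}

# Assumed C2 denylist using documentation addresses as placeholders.
C2_DENYLIST = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("198.51.100.7/32")]

# Constructed sample flows: "<timestamp> <src> <dst> <dport> <proto>" per line.
SAMPLE_FLOWS = """\
2021-08-15T03:05:12Z 10.0.5.10 10.0.21.44 3389 tcp
2021-08-15T03:07:40Z 10.0.21.44 10.0.21.45 3389 tcp
2021-08-15T03:07:41Z 10.0.21.44 10.0.21.46 3389 tcp
2021-08-15T03:08:02Z 10.0.21.44 203.0.113.25 443 tcp
2021-08-15T03:09:15Z 10.0.9.2 10.0.21.50 3389 tcp
2021-08-15T03:10:00Z 10.0.21.50 10.0.30.8 445 tcp
2021-08-15T03:10:05Z 10.0.21.50 192.0.2.10 53 udp
"""


def parse_flows(text):
    """Parse the constructed space-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def is_rdp_to_endpoint(flow):
    """True for TCP/3389 flows whose destination is an internal host."""
    return (flow.proto == "tcp" and flow.dport == RDP_PORT
            and ipaddress.ip_address(flow.dst) in INTERNAL)


def rdp_boundary_allows(flow):
    """Model of the boundary: RDP into an internal host is denied unless the
    source is a jumphost or remote access gateway. Non-RDP traffic is outside
    the boundary's scope and is reported as allowed here."""
    if not is_rdp_to_endpoint(flow):
        return True
    return flow.src in JUMPHOSTS or flow.src in REMOTE_GATEWAYS


def is_c2_destination(addr):
    """True when an external destination falls inside the C2 denylist."""
    ip = ipaddress.ip_address(addr)
    return ip not in INTERNAL and any(ip in net for net in C2_DENYLIST)


def triage(flows):
    """Return the boundary violations, the denylisted call-backs, and the
    source hosts involved in either, which are the quarantine candidates
    for the Contain step."""
    rdp_violations = [(f.src, f.dst) for f in flows if not rdp_boundary_allows(f)]
    c2_callbacks = [(f.src, f.dst) for f in flows if is_c2_destination(f.dst)]
    candidates = sorted({s for s, _ in rdp_violations} | {s for s, _ in c2_callbacks})
    return {"rdp_violations": rdp_violations,
            "c2_callbacks": c2_callbacks,
            "quarantine_candidates": candidates}


if __name__ == "__main__":
    for key, value in triage(parse_flows(SAMPLE_FLOWS)).items():
        print(key, value)
```

On the sample, the jumphost's RDP session to 10.0.21.44 and the gateway's session to 10.0.21.50 are allowed, the two endpoint-to-endpoint RDP flows from 10.0.21.44 are boundary violations, and the same host's HTTPS connection to a denylisted address is a call-back, so 10.0.21.44 is the one quarantine candidate. Running the model over historical flows in this way, before switching the boundary to enforcement, is the practical check that the exception list covers every legitimate RDP source.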
Protecting your organization against ransomware is difficult. But Illumio Core makes it easy to stop ransomware in its tracks, significantly mitigating the impact of a breach.
To learn more:
- Visit Illumio's visibility and ransomware containment page.
- Read the paper, How to Prevent Ransomware From Becoming a Cyber Disaster.
- Check out the blog post, 9 Reasons to Use Illumio to Fight Ransomware.